Trying to get an MX to pass IPSec client traffic from LAN side to host VPN on public IP Fortigate

Here to help

Trying to get an MX to pass IPSec client traffic from LAN side to host VPN on public IP Fortigate

Hi alll -


I am trying to configure my MX-450  to allow an IPSec VPN tunnel from an NCP IPSec client on the inside of the MX to connect to a Fortigate 100F firewall on the outside.

(The NCP client is the preferred client of the vendor involved - I cannot simply use the Forticlient, for those who might wonder. Nor can I ask the other company to switch to SSL VPN technology)

I have a public IP for the Fortigate on the host VPN side  -- when I route that IP through a non-Meraki firewall (an ASA), the VPN works fine - when I route that public IP  through the MX 450, the IPSec tunnnel setup fails every time.
I have a "permit any" rule allowing full unrestricted no-blocks access to that public IP in the Firewall rules in the MX.
Seems like that should be sufficient to allow UDP/500 and other ISAKMP/IPSec traffic through?


Is there somewhere else in the MX I have to go establish special rules or anything to allow IPSec passthrough to work right? 


Thanks TIm

8 Replies 8
Kind of a big deal
Kind of a big deal

All you need is UDP/500 and UDP/4500, and yes, your "permit any" will handle that unless the traffic is denied in rules above that permit.

Do you perhaps have a site-2-site VPN between your MX and that Fortinet? That would be a reason that the client VPN will fail.

Kind of a big deal
Kind of a big deal

It'll have complications if Client VPN is enabled on the MX as well, as that uses the same initial ports.

A client on the inside is whitelisted.

The Fortigate public IP has a permit any/any/pubIP/any rule 


I'll check that  idea. 

The MX is supporting Meraki L2L VPN peers, so I can't disable that.


We are NOT using any VPN that isn't Meraki based, insofar as what terminates on the MX-450.

The Fortigate is not connected to our network in any way - it's a far-end public IP connection, with clients

attempting to connect to it by going _through_  the Meraki along the way. 


Does the L2L Meraki VPN setup use IPSec and thereby UDP/500 and UDP/4500 ?

or is that some proprietary non-IPSec setup from Meraki?


We aren't doing client VPN on that firewall.


Thanks Tim


Kind of a big deal
Kind of a big deal

To further investigate if the problem is related to any IPsec-VPN on the MX, I would add a 1:1 NAT with it's own IP for this particular PC and see if that works. If yes, it's likely that it is somehow related to the actual VPN-Config.

Hi --


So, it is not true that this should NOT be a problem for a CLIENT coming from "behind" the Meraki firewall, as a client would be source-ported higher than UDP/500 and UDP/4500?


I can see the problem in having a Fortigate or other firewall BEHIND the Meraki, and having it trying to terminate incoming VPN sessions - when both it and the Meraki want to use UDP/500 


However -- this is an IPSec client behind the Meraki launching an outbound VPN, going off into the Internets

to talk to the Fortigate on the public Internet.


I did try assigning a public IP (NAT) to my client PC behind the Meraki 450.

That made no difference - the VPN session between my IPSec client and the Fortigate out on the Internet still failed to launch.


Thanks Tim



Kind of a big deal
Kind of a big deal

Can you do a packet-capture on the LAN and on the WAN-side of the MX450 with a filter of the IP of the other sides VPN-gateway? Perhaps that gives a hint of the problem.

Kind of a big deal

@treimers you could have a problem with an IPSec client behind a Meraki firewall depending on the client operation, and what services you are running on the MX.


  • Meraki AutoVPN - shouldn’t cause any issues. Although it is IPSec based it uses ports negotiated through the VPN registry, not the standard ports.
  • Third party peers in Site-to-site VPN - having these configured could cause you problems as these use the standard IPSec ports to establish the connection.
  • Client VPN - if you have the L2TP client VPN enabled them this may well be causing you issues as it uses the standard IPSec ports.

Hope this provides some idea where to look/check.

Kind of a big deal
Kind of a big deal

Make also sure that the VPN-client *and* the gateway have NAT-Traversal (NAT-T) enabled.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.